A potential Null Dereference vulnerability was found in the Mosquitto library which could lead to a denial of service in any library implementation. The affected code is shown below:

File: lib/messages_mosq.c (from line 154)

154 void _mosquitto_messages_reconnect_reset(struct mosquitto *mosq)
155 {
156     struct mosquitto_message_all *message;
157     struct mosquitto_message_all *prev = NULL;
158     assert(mosq);
159 
160     pthread_mutex_lock(&mosq->in_message_mutex);
161     message = mosq->in_messages;
162     mosq->in_queue_len = 0;
163     while(message){
164         mosq->in_queue_len++;
165         message->timestamp = 0;
166         if(message->msg.qos != 2){
167             if(prev){
168                 prev->next = message->next;
169                 _mosquitto_message_cleanup(&message);
170                 message = prev;
171             }else{
172                 mosq->in_messages = message->next;
173                 _mosquitto_message_cleanup(&message);
174                 message = mosq->in_messages;
175             }
176         }else{
177             /* Message state can be preserved here because it should match
178              * whatever the client has got. */
179         }
180         prev = message;
181         message = message->next;
182     }

Taking into account that there is only ONE message within the "mosq->in_messages" pointer:

- Line 161: "mosq->in_messages" (with only one message) is assigned to the "message" pointer
- Line 163: Entering the while loop
- Line 167: As there is only one message, the "prev" struct is NULL, so it takes the FALSE branch (line 171)
- Line 172: As there is only one message, "message->next" is NULL, so "mosq->in_messages" is NULL
- Line 174: The "message" pointer is NULL as "mosq->in_messages" is NULL
- Line 181: The NULL dereference vulnerability is triggered as the code is trying to access a NULL pointer.

An Address Sanitizer report of the NULL Dereference vulnerability (which does not provide too much information) is shown below:

AddressSanitizer:DEADLYSIGNAL
=================================================================
==30788==ERROR: AddressSanitizer: SEGV on unknown address 0x000000000000 (pc 0x7fde65abe328 bp 0x7ffe3be3cb50 sp 0x7ffe3be3c920 T0)
==30788==The signal is caused by a READ memory access.
==30788==Hint: address points to the zero page.
AddressSanitizer:DEADLYSIGNAL
AddressSanitizer: nested bug in the same thread, aborting.
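As an added example (not Mosquitto's code and not the project's fix), the following C model rebuilds the loop above around simplified stand-in structs and shows a version of the reconnect reset that unlinks a non-QoS-2 head without falling through to the dereference at the report's line 181; the names build_queue, reconnect_reset and reset_and_count are assumptions made for this example.

```c
/* Added example, not Mosquitto's code: a model of the in_messages reconnect
 * reset loop from lib/messages_mosq.c, with simplified stand-in structs. */
#include <assert.h>
#include <stdlib.h>

struct msg { int qos; long timestamp; struct msg *next; };
struct client { struct msg *in_messages; int in_queue_len; };
/* Constructed inbound queue: QoS values in order, head first. */
static struct msg *build_queue(const int *qos, int n) {
    struct msg *head = NULL, **tail = &head;
    for (int i = 0; i < n; i++) {
        struct msg *m = calloc(1, sizeof *m);
        assert(m);
        m->qos = qos[i]; m->timestamp = 12345;   /* non-zero so the reset is observable */
        *tail = m; tail = &m->next;
    }
    return head;
}
/* Drop non-QoS-2 messages; keep QoS-2 ones with timestamp reset. The original
 * reloaded message from mosq->in_messages after freeing the head, then ran
 * "message = message->next;" anyway: a NULL read when that head was the only
 * message (report line 181). Here the free path restarts the loop instead. */
static void reconnect_reset(struct client *c) {
    struct msg *message = c->in_messages, *prev = NULL;
    c->in_queue_len = 0;
    while (message) {
        if (message->qos != 2) {
            struct msg *next = message->next;
            if (prev) prev->next = next; else c->in_messages = next;
            free(message);
            message = next;   /* may be NULL; the while test handles that */
            continue;         /* prev still points at the last kept node */
        }
        message->timestamp = 0;
        c->in_queue_len++;
        prev = message;
        message = message->next;
    }
}
/* Builds, resets and frees a queue; returns survivors, or -1 if in_queue_len disagrees. */
int reset_and_count(const int *qos, int n) {
    struct client c = { build_queue(qos, n), 0 };
    reconnect_reset(&c);
    int len = 0;
    for (struct msg *m = c.in_messages; m; m = c.in_messages) {
        assert(m->qos == 2 && m->timestamp == 0);
        c.in_messages = m->next; free(m); len++;
    }
    return len == c.in_queue_len ? len : -1;
}
```

The single-message case from the report ({0}) now ends the loop cleanly with an empty queue instead of reading through a NULL pointer.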
Hi,

Just wondering if further information is required to confirm/work on this vulnerability. If it is so, just let me know.

Thanks,
Daniel
There is sufficient information, thank you. This is my CVSS evaluation, would you agree?

CVSS v2: 2.2 points
https://nvd.nist.gov/vuln-metrics/cvss/v2-calculator?vector=(AV:N/AC:H/Au:N/C:N/I:N/A:P/E:U/RL:ND/RC:C)

CVSS v3: 3.7 points
https://www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:H/PR:N/UI:N/S:U/C:N/I:N/A:L/E:U/RC:C
Hi Roger,

Thank you for your comments. The concern I have about this issue is that it was triggered on two "mosquitto_sub" clients which were connected to a reliable mosquitto broker. However, this broker was being "attacked" by a malicious third client which was sending crafted requests to the reliable mosquitto broker. Therefore, I am worried that a third client (connected to a broker) could crash other clients which are also connected to the same broker.

Regards,
Daniel
To register the CVE, I need a single paragraph description and a CWE [1]. Can you provide that please?

[1] https://cwe.mitre.org/
(In reply to Wayne Beaton from comment #4)
> To register the CVE, I need a single paragraph description and a CWE [1].
> Can you provide that please?
>
> [1] https://cwe.mitre.org/

Please, find below the issue description and its CWE reference:

Description: A Null Dereference vulnerability was found in the Mosquitto library which could lead to crashes for those applications using the library.

CWE: https://cwe.mitre.org/data/definitions/476.html
> Description: A Null Dereference vulnerability was found in the Mosquitto
> library which could lead to crashes for those applications using the library.
> CWE: https://cwe.mitre.org/data/definitions/476.html

Thanks for this, and sorry for the delay. Can you tell me what versions are affected by this?
(In reply to Wayne Beaton from comment #6)
> > Description: A Null Dereference vulnerability was found in the Mosquitto
> > library which could lead to crashes for those applications using the library.
> > CWE: https://cwe.mitre.org/data/definitions/476.html
>
> Thanks for this, and sorry for the delay.
>
> Can you tell me what versions are affected by this?

Hi Wayne,

Tbh I tested the vulnerability within the last versions, I cannot ensure from what version it is vulnerable. I am sorry. Maybe devs have more information about this.

Is this CVE going to be available soon?

Thanks,
Daniel
This affects versions 1.0 to 1.4.15 inclusive.
(In reply to Daniel Romero from comment #7)
> Is this CVE going to be available soon?

I will promote the CVE when the project team requests that I do so. Having said that, in the absence of an explicit request our guidelines state vulnerabilities should be disclosed no later than three months after they've been reported.

Roger, is there any reason to delay further?
No, please go ahead.
Sorry for the delay.

https://github.com/CVEProject/cvelist/pull/1770